
Posts

Showing posts from 2010

owasp 4th meetup

web application firewall

bismillah

Welcome Phaser 3124, so long Docuprint 203A
I bought my second printer, a Fuji Xerox Docuprint 203A, when I did my master's degree in USM back in 2006. At that time I printed out papers and stuff with that printer without much hassle. Once I reported back to my workplace, the printer was left idle in the store room, since most of the time I just print stuff in the office (and there is not much need to print paper, since usually I just printed out exam questions for my students).
In 2010, I have to use my printer again. Unfortunately, when I lived in my old rented house, the printer was colonized by pests; even the box was munched up. So I had to clean out the printer so that it would look okay. Yeah, perhaps I am wrong: after a ream of paper was printed out, the printer experienced a problem and would not work. Say, for example, I want to print a page; it will print two, one sheet where it is supposed to get the writing printed, another one just a blank sheet. But most of the time it won't print at al…
Pattern Search Algorithm

Algorithms, specifically pattern matching algorithms, are widely used in information processing areas such as bioinformatics and computer security.
In the computer security domain, this includes packet inspection, file maliciousness detection and the like. To name a few, Aho-Corasick is used for one IDS' string search (not sure if it is still using it). Then there are antivirus products looking for certain strings for their signature matching detection.
Kippo Honeypot
My laptop is currently running the Kippo honeypot, which can be downloaded here. It supports a MySQL database (and soon the author plans to support SQLite; I am not sure whether as an option or as a successor). Basically it's a honeypot which listens for the SSH service on port 2222, which, if you're running on Linux for example, you can reroute from port 22 (the normal port).
In my case, I am currently running this service behind NAT, so I had to do the port forwarding thing before it would work.
This can be achieved by;
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j REDIRECT --to-port 2222
And you can check it by;

iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 46764 packets, 3114K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REDIRECT   tcp  --  eth1   any     anywhere             anywhere            tcp dpt:ssh redir ports 2222
I have had plenty of attempts, including brute force attempts with Japanese dictionary passwords. …
TFTP and Emulate view

I enhanced Markus' SQL query a bit with


  (
      SELECT
          COUNT(*)
      FROM
          (
              SELECT
                  MIN(a.download) AS download
              FROM
                  downloads AS a
              JOIN
                  connections AS b ON(a.connection = b.connection)
              GROUP BY
                  a.download_md5_hash
              HAVING
                  strftime('%Y-%m-%d',MIN(b.connection_timestamp),'unixepoch','localtime')
                  = strftime('%Y-%m-%d',connections.connection_timestamp,'unixepoch','localtime')
          ) AS newdownloads
          NATURAL JOIN downloads
      WHE…
From Paris with Love ...!

I had the chance to walk around the city of Paris with my wife, about six months after our wedding (something like a honeymoon!). The two of us departed from St Pancras railway station in London and arrived at Gare Du Nord railway station in Paris. The journey took about 2 hours, crossing the tunnel under the English Channel. In Paris we did not have much time; because my wife's leave was short, we only took a week's leave to travel around Ireland, the UK and France. The memories of France were more challenging because the friend who initially accompanied us on the journey in the UK and Ireland (he studies in Dublin) could not accompany us, because he had classes. So we had to rely on people like us who never studied overseas, hehehehe


So the journey began...!
After arriving at Gare Du Nord, we needed to find our accommodation, a budget hotel located in Rosny (like the name of my former Dean, Dr Rosni). First we took the RER train and got off at…
Gnuplot stuffs
Yeah, it's been a long time since I dealt with Gnuplot; now it's time for it again. Since my machine didn't get a lot of binaries compared to other people out there who might have a vast range of public IPs, here goes.
This is the content of my uniqfiles.txt

2010-06-18|108|12|98|11|11
2010-06-17|96|25|87|20|19
2010-06-16|71|4|67|3|2
2010-06-15|67|2|64|2|2
2010-06-14|65|8|62|8|8
2010-06-12|57|8|54|8|8
2010-06-09|49|4|46|4|4
2010-06-08|45|7|42|6|6
2010-06-06|38|7|36|7|7
2010-06-05|31|8|29|8|8
2010-06-03|23|3|21|3|3
2010-05-31|20|2|18|2|2
2010-05-26|18|4|16|2|2
2010-05-25|14|2|14|2|2
2010-05-23|12|4|12|4|4
2010-05-22|8|3|8|3|3
2010-05-20|5|5|5|5|5
which was actually derived from the following (if you want to see what it means...)



For how to visualize them, refer to Markus' write-up here.
This is what I got;





I changed the scale a little bit, since 600x120 seemed so squeezed on my plot.
Afterglow stuffs
I had been using Afterglow years back in 2008, when I submitted my "conference paper" on what I fetched from my Nepenthes sensors. Tonight I just followed Markus' tips on creating the same stuff; the only thing that triggered me to try it out was getting the data from SQLite, something I had never done before, since usually I simply create an AWK script (sigh, what a waste), aka log parsing. So 2000 late.
This is what I did,

The following are sanitized IPs:



Read the rest from Markus
Mwcollectd v4
Mwcollectd is written by 0xff (Georg Wicherski). Now that I plan to contribute back to the mwcollect alliance, I have to get software which provides a module for binary submission. Nepenthes will do, with the submit-mwserv.conf module (however, I'm yet to know how to enable this, either by editing nepenthes.conf or something). Dionaea, I'm not sure yet, since I can't find the module for the submission.
For the meantime I go for Mwcollect, perhaps until I can figure out how to do this on Nepenthes/Dionaea.
If you are wondering what mwcollect is, go here. There are also slides which presented stuff on mwcollect.


Dionaea, XMPP and SQLiteman


The following is what it looks like for the normal log.


But since we have the SQLiteman client, simply invoke the SQL statement and query the data as you like ;-)

SURFIDS

I read about SURFids a long, long time ago but never actually tried it. Today I managed to download the demo image, which is basically a Debian image, a 500MB+ file.
Here goes. I opened up the file using VirtualBox first (but since I do not know how to redirect the web server to the host browser, I simply used QEMU, since I have experience redirecting TCP connections on QEMU).
Malaysian Open Source Conference 2010 (MOSC 2010)

My talk has been accepted by MOSC 2010, entitled "Internet Malicious Miscreant". This annual event will be held in Berjaya Times Square, Kuala Lumpur, Malaysia from 29th June until 1st July 2010. At first I was very reluctant to participate as a speaker since, in the security domain, there are many people out there who actually work for their bread and butter in this. Anyway, so as not to disappoint Fazli, I'll give what I've done throughout these years.
It seems from the list of speakers that some of them are international speakers, so don't miss the chance to attend this talk!
Register here; discounts are waiting for the early birds!
SQLite and Dionaea


Markus shared that in order to use SQLite, which manipulates logsql.sqlite in the default /opt/dionaea/var/dionaea/logsql.sqlite, sqlite3 should be used. Also, instead of using the creepy SQLite statement, use sqlman instead, as follows:


Also, since Markus already upgraded the Dionaea code, you don't need to use an XMPP client, either Psi or Pidgin based; instead just invoke /opt/dionaea/bin/dionaea -l all,-debug -L 'logxmpp'

Psi and Pidgin with Dionaea Honeypot (XMPP support)


XOR Problem

Recently I offered to the members of mypenguin99 to get my XOR-encrypted file decrypted. (I was using xor-analyze, and never mentioned the key length or the tool that I chose to encrypt with.) Bro Bahathir unsurprisingly managed to solve the problem in no time (yeah, it needs some time to google and decrypt). In this case we need a collision from a dictionary of widely used words, so that the real message can be guessed.
Although XOR is considered primitive cryptography, it is used by malware writers to encrypt part of their payloads, as written here
Dionaea with XMPP

I was actually wondering why the Nepenthes sensors and Dionaea did not catch any malware since 8th April. It's more than a month now. So I decided to look the other way instead of looking at the empty, boring folder.

But I'm not sure whether my config is correct, although I guess I am already able to log in.


You might also want to use the XML Console within Psi
Books: Computer Worms by Jose Nazario
I borrowed a book from my employer's resource center, and this book seems seminal for malicious code research, especially on computer worms.

A security professional educated in Biochemistry (PhD), Jose Nazario, who is currently working with Arbor Networks, needs no introduction. Worth reading, although it was published in 2003.
I bought several books for my study literature; one of them is
"Botnets, The Killer Web App", which covers the technical parts of botnets. At first I doubted the book actually covered the common botnets that people talk about, but after I read the book, yes, sure it does. I suggest the words "killer web app" be phased out, since it is not always dealing with the Web... port 6667 isn't Web; ports 80 and 443 are always Web.

Prior to that I already got Provos and Holz's
Virtual Honeypots book. This is also a technical book, with finely grained coverage of the howtos of honeypots, including the popular Nepenthes (although now it's already dead, succeeded by Dionaea).
Changing filenames to lowercase/capital

Changing to ALL lowercase

Say we have tonnes of AVI files:

 for i in *.avi; do mv "$i" "$(echo "$i" | tr '[:upper:]' '[:lower:]')"; done
The other way around, changing from mixed case to CAPITALS

 for i in *.avi; do mv "$i" "$(echo "$i" | tr '[:lower:]' '[:upper:]')"; done
I bought this book, Hacking Exposed: Malware & Rootkits, several months back, while it was still new! A good read and really worth your money. It keeps you updated with current stuff and is the first of its kind within the Hacking Exposed series. Perhaps more to come under the same title in future!
If you are comfortable shopping online, just visit Amazon and get the latest copy here: HACKING EXPOSED MALWARE AND ROOTKITS
sctest, tool in libemu



I recently tested out sctest, a tool to process shellcode, provided in libemu.

The usage is as follows:

sctest -gS -s 10000 -v -G test.dot
Basically there are several steps prior to that (for which I needed a friend to help me out!).

Say I have a file called hexdump.txt;



Try with 10,000 steps:

$ sctest -Ss 10000 -g < hexdump.txt
verbose = 0
success offset = 0x00000005
stepcount 10000




Trying with 100,000 steps we got this:

$ sctest -Ss 100000 -gv < hexdump.txt
verbose = 1
success offset = 0x00000005
stepcount 100000




HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x0012fe80 =>
           = "ws2_32";
) = 0x71a10000;
int WSAStartup (
     WORD wVersionRequested = 2;
     LPWSADATA lpWSAData = 1244276;
) = 0;
SOCKET WSASocket (
     int af = 2;
     int type = 1;
     int protocol = 0;
     LPWSAPROTOCOL_INFO lpProtocolInfo = 0;
     GROUP g = 0;
     DWORD dwFlags = 0;
) = 66;
int bind (
     SOCKET s = 66;
     struct sockaddr_in * name = 0x0012fe6c =>
         struct …
Marking Nepenthes' log with GeoIP

I always wanted to make my Nepenthes log meaningful, rather than cryptic columns, which is pretty much boring.

So this is what I did after several searches on the Net... some of the links just show the result, and I wonder why they don't just *put* the script online. Here goes!


Let's say I am processing /var/log/nepenthes/logged_downloads

116.7.16.130 df51e3310ef609e908a6b487a28ac068
116.80.225.172 1d419d615dbe5a238bbaa569b3829a23
116.80.227.106 e269d0462eb2b0b70d5e64dcd7c676cd
116.80.81.221 98eb0fdadf8a403c013a8b1882ec986d
116.80.85.224 e269d0462eb2b0b70d5e64dcd7c676cd
116.81.88.146 2fa0e36b36382b74e6e6a437ad664a80

I want it to be:

Russian Federation ,95.28.56.118 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.63.209 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.71.57 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.82.129 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.89.135 , 7d99b0e9108065ad5700a899…
Burning a CD with the dd command

It's been a long time since I wrote anything... quite busy. Just now I burned a CD using the dd command... it's been a while since I played with "dd"...

First, check where our disk's position is...

root@auber:~# cdrecord -scanbus



scsibus1:
1,0,0 100) 'TSSTcorp' 'CD/DVDW SH-S182F' 'SB01' Removable CD-ROM
1,1,0 101) *
1,2,0 102) *
1,3,0 103) *
1,4,0 104) *
1,5,0 105) *
1,6,0 106) *
1,7,0 107) *

So looking at the output above, its position is 1,0,0...


root@auber:~# cdrecord -v -dao -dev=1,0,0 /backup/debian-504-i386-CD-1.iso



TOC Type: 1 = CD-ROM
scsidev: '1,0,0'
scsibus: 1 target: 0 lun: 0
WARNING: the deprecated pseudo SCSI syntax found as device specification.
Support for that may cease in the future versions of wodim. For now,
the device will be mapped to a block device file where possible.
Run "wodim --devices" for details.
Linux sg driver version: 3.5.27
Wodim version: 1.1.9
SCSI buffer size: 64512
Device type : …
GRE?
Somebody asked me about the GRE, so I archive it here...
Salam, just started my PhD. So far very busy with classes.
GRE: to register for this exam you have to register with ETS, which handles the TOEFL exam too; the fee for GRE is around USD170 (last year), while TOEFL is around USD150.
Last time I chose to take the exam at Prometric (nearby LRT Dang Wangi, so it's easy to catch the train since it begins at 9:00 AM; otherwise you can choose the evening).
I did not really prepare for GRE and TOEFL since I had my wedding weeks before... so busy with something else. Nevertheless the Malaysian government decided not to send the rest of us overseas, so actually taking both was pretty much a waste (sigh). But later I took IELTS, and scored quite well, also pointless (I got an offer to Australia though).
Anyway... GRE has two sections, quantitative and qualitative, and finally analytical writing. Quan. is much like high school math, but you've to get the first few questions right... otherwise your score will be low, since the nex…